The Payment Service Regulations 2017 (the 'Regulations') replaced the Payment Services Regulations 2009 and set out the rules relating to all 'payment services' including the services provided by banks, building societies and debit card providers.
It brings the European payments law, known as the second Payment Services Directive - or PSD2 - into UK law.
The Regulations also outline what consumers can expect their bank to do if there has been unauthorised use of their account details or their debit cards.
The principles in the Regulations sets out the rules that all service providers (including banks, building societies and card providers) must follow.
The Payment Service Regulations 2017 set out what payment service providers must do if there has been unauthorised or fraudulent activity on your account.
Subject to the exceptions noted in this guide, you should be able to get your money back as long as your provider can't prove that you hadn't taken reasonable steps to keep your card or account information secure.
If your debit card is lost or stolen and then used to buy something, and you report the unauthorised transactions without undue delay, your debit card provider should refund you immediately.
However this is subject to the following exceptions:
However, your debit card provider can't make any deduction or refuse to refund you if the disputed transaction was made after you had reported the card lost or stolen.
If the unauthorised payment(s) caused you to incur interest or any other charges (such as an overdraft fee, for example), your debit card provider must also refund those charges so that you are in the position you would have been in if the unauthorised payment had not taken place.
The Consumer Credit Act says that if your credit card is lost or stolen and used without your consent, the most you should be responsible for is the first £50 of any unauthorised transactions made before you reported the card missing.
The Regulations can also help if there is a transaction on from your debit account that you didn't authorise.
For example, if your debit card has not been lost or stolen and someone else uses the card details to buy something (for example if a card is cloned, your account data is lost in a data breach, or someone uses details you gave to a retailer when buying an item over the phone or online), then the Regulations mean you should be refunded in full as long as your report the unauthorised transaction promptly.
The Regulations treat unauthorised card usage the same as they do lost or stolen cards. As outlined above, if your provider can show that you hadn't taken reasonable steps to protect the security of your card (i.e. your PIN or online security details) you could be liable for the first £35 of any loss you incur.
And if your provider can show that you acted fraudulently, you won't be entitled to any refund.
As with lost or stolen cards, if you were grossly negligent, then the service provider can refuse to credit any money back to you - except where your card or account details were used to enter into a distance contract under the .
The regulations require stronger customer authentication to reduce the risk of fraud.
This means that in order to access your data or accounts, you'll have to take two or more independent actions in order to log in. This could include: